Rule Reference

SEC377 | lintai-ai-security | guidance | quality | preview | markdown | warn

Copilot instructions: invalid `applyTo` glob

Path-specific GitHub Copilot instruction markdown has an invalid `applyTo` glob pattern

Public lane: guidance
Category: quality
Provider: lintai-ai-security
Scope: per-file
Surface: markdown
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Advice-oriented guidance and maintainability review.

How to read this category

Contract, schema, or config correctness signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

Lifecycle

Preview Lifecycle Contract

State

preview

Promotion blocker

Invalid `applyTo` glob patterns on path-specific Copilot instruction files are deterministic, but the first release stays guidance-only while ecosystem usefulness is measured.

Promotion requirements

Needs corpus-backed precision review, external usefulness evidence, and completed stable checklist metadata.

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

Why It Matters

SEC377 flags path-specific GitHub Copilot instruction files when applyTo is present with the right shape but contains an invalid glob pattern.

This is useful because:

  • Copilot path-specific instructions rely on applyTo to target files consistently
  • an invalid glob can look valid in review while silently failing to match the intended files
  • this stays a strict config-contract check with no prose heuristics

This rule lives in the explicit guidance lane because the issue is deterministic configuration quality and reviewability, not a headline exploit-style security claim.

Trigger Shape

  • file path is .github/instructions/*.instructions.md
  • frontmatter parses successfully
  • applyTo is a string or list of strings
  • at least one applyTo pattern fails deterministic glob compilation

Clean Cases

  • applyTo: "**/*.rs"
  • applyTo: ["**/*.rs", "**/*.ts"]
  • fixture/test/example copies
  • files already caught by missing/invalid-shape rules instead

Example Trigger

```md
---
applyTo: "[unclosed"
---
```

Safer Example

```md
---
applyTo: "**/*.rs"
---
```

How To Fix

  • replace invalid applyTo patterns with valid globs
  • keep path-specific Copilot instructions on reviewed, testable file patterns
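
A small repository check that follows the Trigger Shape above, as an added example that is not lintai's own implementation. The validity rule (an unclosed `[` or `{`), the JSON-compatible reading of the `applyTo` value, and the function names are assumptions made for illustration.

```python
import json
import re
from pathlib import PurePosixPath

def glob_error(pattern):
    """Assumed validity rule: report an unclosed '[' class or '{' alternation."""
    depth, i = 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "[":
            end = pattern.find("]", i + 1)
            if end == -1:
                return "unclosed character class"
            i = end            # skip the class body; braces inside it are literal
        elif c == "{":
            depth += 1
        elif c == "}" and depth:
            depth -= 1
        i += 1
    return "unclosed alternation" if depth else None

def apply_to_patterns(text):
    """Return applyTo as a list of strings, or None if absent or mis-shaped."""
    fm = re.match(r"---\n(.*?)\n---", text, re.S)
    line = fm and re.search(r"^applyTo:[ \t]*(.+)$", fm.group(1), re.M)
    if not line:
        return None
    try:
        # Simplification: quoted strings and inline lists are JSON-compatible YAML.
        value = json.loads(line.group(1))
    except ValueError:
        return None
    if isinstance(value, str):
        value = [value]
    ok = isinstance(value, list) and all(isinstance(v, str) for v in value)
    return value if ok else None

def check(path, text):
    """Return (pattern, reason) pairs for a path-specific instruction file."""
    if not PurePosixPath(path).match(".github/instructions/*.instructions.md"):
        return []
    return [(p, why) for p in apply_to_patterns(text) or [] if (why := glob_error(p))]

# Constructed sample files mirroring the page's trigger and clean cases.
TRIGGER = '---\napplyTo: "[unclosed"\n---\nPrefer explicit error types.\n'
CLEAN = '---\napplyTo: ["**/*.rs", "**/*.ts"]\n---\nPrefer explicit error types.\n'

if __name__ == "__main__":
    for name, body in (("trigger", TRIGGER), ("clean", CLEAN)):
        print(name, check(".github/instructions/rust.instructions.md", body))
```

Files whose `applyTo` is missing or has the wrong shape return no findings here, matching the page's note that those are caught by other rules; the fixture/test/example exclusion is not modelled.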